authenticated origin pulls not sending the certificate

I have enabled in my domain the SSL Mode to Full (Strict) and also toggled the authenticated origin pulls. However, when enabling the custom log format as below:
log_format clientcert '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$ssl_client_s_dn($ssl_client_serial)" $ssl_client_fingerprint';
In the log I don't see the certificate arriving:
[08/Jul/2025:13:59:32 +0300] "GET /sales/men/shopby/****.html HTTP/1.1" 200 84858 "-" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2" "-(-)" -
Moreover, if I change the verification from optional to on, as expected it shows 400 Bad Request, no certificate. What could be missing to enable authenticated origin pulls and send the actual certificate? I downloaded the certificate authenticated_origin_pull_ca.pem from the knowledgebase URL and installed it on nginx.
ioweb-gr (OP), 3mo ago
Well, on the origin server we operate a standard installation of nginx + mod security and iptables, but there's no filtering active that could filter out the certificate afaik.
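
One way to check what the `clientcert` access log from the first post is reporting, as an added example that is not part of the original thread: it parses that log format and counts requests that arrived with and without a client certificate. The sample lines, DN, serial and fingerprint are constructed.

```python
import re
from collections import Counter

# Tail of the page's `clientcert` log_format; the leading
# "$remote_addr - $remote_user" part is optional because search() is used.
LINE_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" '
    r'"(?P<dn>[^"]*)\((?P<serial>[^()"]*)\)" (?P<fingerprint>\S+)\s*$'
)

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # nginx writes "-" for an empty variable, so "-" here means no client
    # certificate was presented on that TLS connection.
    rec["cert_presented"] = rec["fingerprint"] != "-" and rec["dn"] != "-"
    return rec

def summarize(lines):
    """Count lines with/without a client certificate; collect the latter."""
    counts, missing = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
        elif rec["cert_presented"]:
            counts["with_cert"] += 1
        else:
            counts["no_cert"] += 1
            missing.append((rec["time"], rec["status"], rec["request"]))
    return counts, missing

# Constructed sample lines (documentation IPs, made-up DN/serial/fingerprint).
SAMPLE = [
    '192.0.2.10 - - [08/Jul/2025:13:59:32 +0300] "GET /a.html HTTP/1.1" 200 84858 "-" "Mozilla/5.0 (X11)" "-(-)" -',
    '192.0.2.11 - - [08/Jul/2025:14:00:01 +0300] "GET /b.html HTTP/1.1" 400 237 "-" "Mozilla/5.0 (X11)" "-(-)" -',
    '198.51.100.7 - - [08/Jul/2025:14:05:10 +0300] "GET /c.html HTTP/1.1" 200 512 "-" "curl/8.0" "CN=constructed-client,O=Example(0A1B2C)" 0123456789abcdef0123456789abcdef01234567',
    'not an access log line',
]

if __name__ == "__main__":
    counts, missing = summarize(SAMPLE)
    print(dict(counts))
    for entry in missing:
        print("no client cert:", *entry)
```
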
